Previous articles of this Windows Server 2012 series reviewed the implementation and management of Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services. Even though the close relationship between these two services was stressed, the articles concentrated on managing them separately, using the DNS tools for DNS and the DHCP tools for the DHCP service.

Windows Server 2012 introduces a brand new feature that allows network administrators to aggregate multiple DNS and DHCP servers and manage them from a centralized location. Welcome to Internet Protocol Address Management (IPAM).

This article examines how IPAM works in Windows Server 2012 along with its benefits and limitations; we will walk through the step-by-step IPAM installation and configuration in a network environment where domain controllers, DNS and DHCP servers are already up and running.

The Need for IPAM

The more IP-enabled devices in a network, the greater the need for a system to document, manage, and monitor the IP address space that allows those devices to access network resources. Tracking IP addresses and DNS names throughout an enterprise network becomes a real challenge when several DNS and DHCP servers are involved across multiple locations. Third-party solutions to this issue have been around for quite a while but Windows Server 2012 is the first Microsoft server operating system that provides built-in IPAM functionality. However, IPAM is not enabled by default; it must be installed as a server feature using Server Manager, Windows PowerShell or the Deployment Image Servicing and Management (DISM) command-line tool.

The IPAM feature on Windows Server 2012 is a centralized tool from which a system administrator can discover, audit, monitor, and manage IPv4 and IPv6 addresses while maintaining a wide-ranging view of where IP addresses are used in the network. This is possible because IPAM supports the management and surveillance of DHCP and DNS servers while collecting information from domain controllers and network policy servers. That information feeds the Windows internal database and is critical for IPAM to function.

* By enabling tracking and forecasting of the IP address space, the IPAM centralized console helps to optimize the IP address utilization and manage capacity planning for DNS and DHCP.

IPAM modular approach

IPAM installation automatically includes a server and a client component. The server side executes the data collection from DHCP, DNS, domain controllers and network policy servers. It also administers the Windows internal database and provides role-based access control (RBAC). All the heavy lifting is done on the server side. The client software supplies the interface to interact with the IPAM server; it relies on Windows PowerShell and Windows Remote Management to perform DHCP configuration and DNS monitoring. It is possible to install the IPAM client separately.

The IPAM server runs four major modules to provide most of its functionality:

* IPAM discovery. This module uses Active Directory Domain Services (AD DS) to discover and enumerate servers running Windows Server 2008 SP2 or later that host DNS, DHCP or AD DS. You can manually add or delete servers and define a custom discovery scope within a domain or forest.

* IP address space management. The IPAM address space management (ASM) module is used to view, monitor, and manage dynamic, static, public, and private IP addresses. It allows tracking IP addresses and displaying utilization trends, thus making it possible to have more accurate forecasting, planning, accountability, and control of the IP address space. By using IPAM, it’s easier to detect overlapping IP address ranges across multiple DHCP servers, identify free IP addresses within a range, and perform routine tasks like creating DHCP reservations and DNS records.

* Multi-server management and monitoring. IPAM tracks the service status of the DNS and DHCP servers on the network. By aggregating multiple DHCP servers the multi-server management (MSM) module enables an administrator to perform editing and configuration of important properties on multiple DHCP servers and scopes. It also facilitates surveillance and tracking of DHCP service status and utilization of DHCP scopes. IPAM allows monitoring the condition of a DNS zone on multiple DNS servers by exposing the collected status of a zone across all authoritative DNS servers.

* Operational auditing and IP address tracking. Configuration problems can be avoided or minimized by using the IPAM auditing tools. Administrators can gather, oversee and display details of configuration changes on DHCP servers that fall within an IPAM scope. IPAM can extract IP address lease tracking information from the DHCP servers' lease logs as well as logon and logoff related events from domain controllers and network policy servers.

IPAM limitations

* IP address utilization trends are available only for IPv4 (no option for IPv6).

* IP address reclamation support is available only for IPv4 (no option for IPv6).

* IPAM does not support auditing of IPv6 addresses.

* IPAM cannot be configured to check for IP address consistency on network routers and switches.

* IPAM does not allow the configuration of a database purge policy. Data must be purged manually.

* IPAM does not support non-Microsoft network devices, operating systems, or services.

* An IPAM server can only operate within one Active Directory forest.

* IPAM servers do not share database information or interchange configuration information with one another.

IPAM implementation guidelines and requirements

* The IPAM feature must be enabled on a Windows Server 2012 computer that is a member of a domain.

* IPv6 must be enabled in order to manage IPv6 addresses.

* A domain account with proper privileges is needed to administer an IPAM Server.

* The enterprise and domain administrator accounts have unrestricted access to IPAM administration.

* When IPAM is enabled, several domain local IPAM security groups are created on the IPAM server.

* The IPAM security groups are configured with the required permissions to access or manage different IPAM functionalities. These groups may be used to delegate tasks and responsibilities to other users.

* Microsoft recommends that IPAM run on a single-purpose server and discourages the installation of other roles such as DNS or DHCP on the IPAM server.

To demonstrate the installation and configuration, I have three main Windows Server 2012 machines: DC-DNS1 is a domain controller with the DNS server role installed, DHCP1 is the DHCP server on the network, and a server conveniently named IPAM-Server will be running the IPAM server and client components. DHCP1 and IPAM-Server are members of the lanztek.com domain. We will review four main phases of the IPAM installation and configuration process.

Phase 1 – Installing the IPAM feature

On IPAM-Server, in the Server Manager Dashboard, click Add roles and features.

In the Add features that are required for IP Address Management (IPAM) Server popup, click Add Features, and then click Next.

On the Confirm installation selections page, click Install.

That completes the IPAM feature installation.

Phase 2 – Configure IPAM–related GPOs

Now that we have the IPAM feature installed on this server, our next step is to configure the IPAM related Group Policy Objects (GPO) that are necessary to work with the managed servers on the network.

On the IPAM-Server, in the Server Manager Navigation pane, click IPAM.

In the IPAM Overview pane, click Connect to IPAM server, choose IPAM-SERVER.LANZTEK.COM, and then click OK.

Click Provision the IPAM server, and then click Next.

On the Select provisioning method page, ensure that the Group Policy Based method is selected, in the GPO name prefix box, type IPAM, and then click Next.

On the Confirm the Settings page, click Apply and wait until provisioning is completed.

Phase 3 – Configure IP management server discovery

Once provisioning is successfully completed, the next step is to configure and start server discovery so that IPAM can find the DNS and DHCP servers that we want to centrally manage.

Discovery may take several minutes; the yellow status bar indicates when it is done.

Phase 4 – Configure managed servers

Now we are ready to work with the DNS and DHCP servers that IPAM discovered during phase 3.

In the IPAM Overview pane, click Select or add servers to manage and verify IPAM access.

Notice that the IPAM Access Status is blocked. At this point the IPAM server has not yet been granted permission to manage these servers via Group Policy.

On the taskbar, right-click the Windows PowerShell icon, right-click Windows PowerShell, and then click Run as Administrator.

At the Windows PowerShell prompt, run the following command. Type Y, when you are prompted to confirm the action.
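As an added example that is not part of the original article, here is the GPO provisioning step in Windows PowerShell. It assumes the Group Policy Based method and the GPO name prefix IPAM chosen in Phase 2, the lanztek.com domain and the IPAM-Server host from this walkthrough, and uses the Invoke-IpamGpoProvisioning cmdlet from the IpamServer module; the GPO naming pattern checked afterwards is an assumption as well.

```powershell
# Added example (not from the article). Assumptions: domain lanztek.com,
# GPO prefix "IPAM" (as typed in Phase 2) and IPAM server IPAM-Server.lanztek.com.
# Run in an elevated Windows PowerShell session on the IPAM server, as an account
# that is allowed to create and link GPOs in the domain (e.g. a Domain Admin).
Import-Module IpamServer
Import-Module GroupPolicy

$domain     = 'lanztek.com'
$gpoPrefix  = 'IPAM'                       # must match the prefix entered during provisioning
$ipamServer = 'IPAM-Server.lanztek.com'

# Creates and links the GPOs that grant the IPAM server the remote access it needs
# on the managed DHCP, DNS, domain controller and NPS servers.
# The cmdlet prompts for confirmation; answer Y.
Invoke-IpamGpoProvisioning -Domain $domain `
                           -GpoPrefixName $gpoPrefix `
                           -IpamServerFqdn $ipamServer

# Verification (assumed naming: the provisioning creates GPOs whose display names
# start with the chosen prefix). Listing them confirms the prefix matched Phase 2;
# the managed servers only pick the settings up after a Group Policy refresh.
$gpos = Get-GPO -All -Domain $domain |
        Where-Object { $_.DisplayName -like "${gpoPrefix}_*" }

$gpos | Select-Object DisplayName, GpoStatus, ModificationTime | Format-Table -AutoSize

if (-not $gpos) {
    Write-Warning "No GPOs named '${gpoPrefix}_*' found in $domain; re-check the prefix used in Phase 2."
}
```

If the prefix does not match what was entered in the provisioning wizard, the managed servers stay in the Blocked access state even after a Gpupdate.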

Once the command is complete, we can go back to Server Manager and in the details pane, right-click DC-DNS1, and then click Edit Server. In the Add or Edit Server dialog box, set the Manageability status to Managed, and then click OK.

Switch to DC-DNS1, on the taskbar, click the Windows PowerShell icon, and at a Windows PowerShell prompt, type Gpupdate /force, and then press Enter.

Switch back to the IPAM-Server. In Server Manager, in the IPAM console, right-click DC-DNS1, and then click Refresh Server Access Status.

Repeat steps 5 and 6 to unblock the DHCP1 server.

In the IPAM Overview pane, click Retrieve data from managed servers. This task may take several minutes to finish.

Phases 1 through 4 are necessary to install and configure IPAM to operate in our domain environment. After IPAM successfully retrieves the data from the managed servers, we can use the IPAM centralized console to manage our DHCP and DNS servers. Below is an example of how to configure a DHCP scope from IPAM.

Configure and verify a new DHCP scope with IPAM

On the IPAM-Server, in the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP Servers.

In the details pane, right-click the instance of DHCP1.lanztek.com that contains the DHCP server role, and then click Create DHCP Scope.

To verify the result, on the IPAM-Server, in the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP Servers. Right-click DHCP1 and select Launch MMC.

Notice that the scope has been created.

Many other DHCP and DNS related tasks can be executed from the IPAM server. IPAM relies on the Task Scheduler to periodically gather information from DNS, DHCP, domain controllers and network policy servers. An administrator can also retrieve data at any time from these servers by using the Retrieve All Server Data option. It is important to note that IPAM is an agentless technology that does not install any special software on other computers. Instead, it uses Windows Remote Management to communicate with, manage, monitor and collect data from the managed servers.

In this article we explored the IPAM implementation on Windows Server 2012, including its main components, requirements, benefits and limitations. The installation and configuration was covered through four key phases: installing IPAM, configuring IPAM-related GPOs, configuring IP management server discovery and configuring managed servers. IPAM is a very valuable feature in large networks, where it can be used to reduce the complexity of managing multiple DNS and DHCP servers across the enterprise.

Wilfredo Lanz is a senior systems engineer with various Microsoft and Cisco network certifications. He has more than 15 years of experience in installation, design, administration, configuration and troubleshooting of LAN/WAN infrastructure and security using Cisco hardware and Microsoft enterprise software. In the last few years he has been more involved in data center, cloud computing and virtualization projects.
Besides his field work, Wilfredo spends time developing educational material intended for labs and training environments. His latest courseware, “Network Security and Protocols for Industrial Applications,” is being used by California State University at Fullerton.

Nice! The best I have seen so far on this new Server 2012 feature. Great job, now I can try it in my test lab.
